7472411

Method for Stateful Firewall Inspection of ICE Messages

Published: December 30, 2008
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
25 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A management system, comprising: a processor generating a token to be inserted into a signaling message and then comparing the token with an unauthorized message received at a security device to authorize forwarding by the security device; and the processor receiving an authorization request including an entire Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (STUN) request that includes the token and the processor removing the token and sending the entire tokenless STUN request back to the security device.

2. The management system of claim 1 wherein the unauthorized message is an Interactive Connectivity Establishment (ICE) message.

3. The management system according to claim 1 wherein the processor further compares contact information included in the signaling message to contact information included in the unauthorized message.

4. The management system according to claim 1, wherein the processor operates in a policy server or a firewall controller.

5. The management system according to claim 4 wherein an authorization is sent by the processor to a firewall, a NAT, or any other security device.

6. A security system comprising: a processor sending an authorization request for an unauthorized message, the unauthorized message including an authorization token; and forwarding the unauthorized message when the authorization request is validated; and where the processor opens a pinhole when a validation message is received back in response to the forwarded unauthorized message; wherein the pinhole is a path through a security device through which messages associated with a particular source address may pass.

7. The security system of claim 6, where the authorization request includes the authorization token to be used for validation.

8. The security system of claim 6 further comprising the processor multicasting a Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (STUN) transaction identifier to other security devices in a same multicast group.

9. The security system of claim 6 wherein the unauthorized message is an Interactive Connectivity Establishment (ICE) message including a STUN request.

10. The security system of claim 6 wherein opening the pinhole further includes comparing a STUN transaction identifier included in the unauthorized message with a STUN transaction identifier included in the validation message.

11. A method for authorizing communications across asymmetric security devices comprising: receiving a first message that includes first media information associated with an outgoing communication, the first message sent from a first asymmetric security device processing the outgoing communication; storing the first media information; receiving a first authorization request from a second different asymmetric security device, the first authorization request including second media information associated with an unauthorized incoming communication; comparing a first value from the first media information to a second value from the second media information; and authorizing the second different asymmetric security device to forward the unauthorized incoming communication according to the comparison.

12. The method of claim 11 including storing a Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (STUN) transaction identifier located in the first authorization request.

13. The method of claim 12 including sending the STUN transaction identifier to a first asymmetric security device.

14. The method of claim 11 further comprising: receiving a second authorization request associated with an unauthorized outgoing communication received at a first asymmetric security device and comparing a value of a STUN transaction identifier located in the second authorization request to the stored value; authorizing the first asymmetric security device to forward the unauthorized outgoing communication according to the comparison.

15. The method of claim 11 where the unauthorized incoming communication is an Interactive Connectivity Establishment (ICE) message.

16. A method comprising: identifying an outgoing message containing a payload having a unique identifier; attaching an opaque token to the unique identifier before communicating the outgoing message, the opaque token to be used for verifying an incoming message at a security device, said attachment to cause a remote endpoint originating a communication that contains the unique identifier to automatically include the opaque token therein independently of whether the remote endpoint is aware of the presence of the opaque token; receiving at the security device the incoming message having a payload containing the unique identifier, the unique identifier having the opaque token attached thereto; sending a verification message including the opaque token, the verification message sent from the security device to a management device; and communicating the incoming message if authorization is received for the incoming message.

17. The method of claim 16 wherein the verification message includes an entire Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (STUN) request.

18. The method of claim 17 wherein the verification message is sent responsive to the security device observing the presence of the opaque token in the incoming message.

19. The method of claim 18 including: receiving an unauthorized outgoing communication after communicating the incoming message; and sending an authorization request to the management device to determine whether to forward the unauthorized outgoing communication.

20. A system for authorizing communications across asymmetric security devices comprising: means for receiving a first message that includes first media information associated with an outgoing communication; means for storing the first media information; means for receiving a first authorization request from a first asymmetric security device, the first authorization request including second media information associated with an unauthorized incoming communication; means for comparing a first value from the first media information to a second value from the second media information; and means for authorizing the first asymmetric security device to forward the unauthorized incoming communication according to the comparison.

21. The system of claim 20 including means for storing a Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (STUN) transaction identifier located in the first authorization request.

22. The system of claim 20 further comprising: means for receiving a second authorization request associated with an unauthorized outgoing communication received at a second asymmetric security device and comparing a value of a STUN transaction identifier located in the second authorization request to the stored value; means for authorizing the second asymmetric security device to forward the unauthorized outgoing communication according to the comparison.

23. The system of claim 20 where the unauthorized incoming communication is an Interactive Connectivity Establishment (ICE) message.

24. The system of claim 20 wherein the first message is received at a call controller.

25. The system of claim 20 including means for receiving an unauthorized outgoing communication after forwarding the first message; and means for sending an authorization request to determine whether to drop or forward the unauthorized outgoing communication.
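Worked example (added here; not code from the patent or its assignee). The claims describe one exchange from several angles: a management system attaches an opaque token to the ICE username fragment carried in signaling (claim 16), the remote endpoint echoes it in the STUN USERNAME attribute without knowing it is there, the firewall hands the whole STUN request to the management system for validation and receives a tokenless copy back (claims 1 and 17), and the pinhole is opened only when a response carrying the same STUN transaction identifier comes back, possibly through a different device that learned the identifier from the first one (claims 6, 8 and 10). The model below runs that sequence in memory. The class names, the 8-hex-character token, the RFC 5389 STUN wire layout, and the constructed addresses and ufrags are assumptions for illustration.

```python
"""Hypothetical in-memory model of the token-gated STUN/ICE pinhole exchange.
Names, the 8-hex-char token and the RFC 5389 STUN layout are assumptions."""
import os
import secrets
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_USERNAME = 0x0006
TOKEN_LEN = 8  # hex characters appended to the ICE ufrag (assumed size)

def encode_stun(msg_type, txn_id, attrs):
    """Serialize a STUN message: 20-byte header followed by TLV attributes."""
    body = b""
    for atype, value in attrs:
        body += struct.pack("!HH", atype, len(value)) + value
        body += b"\x00" * (-len(value) % 4)  # attributes are padded to 4 bytes
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txn_id + body

def decode_stun(data):
    """Parse a STUN message into (type, transaction id, {attr_type: value})."""
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or len(data) != 20 + length:
        raise ValueError("not a well-formed STUN message")
    txn_id, attrs, off = data[8:20], {}, 20
    while off < 20 + length:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        attrs[atype] = data[off + 4:off + 4 + alen]
        off += 4 + alen + (-alen % 4)
    return msg_type, txn_id, attrs

class ManagementSystem:
    """Policy server / firewall controller of claims 1, 4 and 16."""
    def __init__(self):
        self.tokens = {}  # token -> ufrag it was attached to in signaling

    def tag_ufrag(self, ufrag):
        """Attach an opaque token to the ufrag before the offer leaves (claim 16)."""
        token = secrets.token_hex(TOKEN_LEN // 2)
        self.tokens[token] = ufrag
        return ufrag + token

    def authorize(self, stun_request):
        """Validate the echoed token, strip it, return the tokenless request (claim 1)."""
        msg_type, txn_id, attrs = decode_stun(stun_request)
        username = attrs.get(ATTR_USERNAME, b"").decode(errors="replace")
        # ICE USERNAME is "<receiver ufrag>:<sender ufrag>"; the tagged ufrag comes first.
        tagged, _, sender = username.partition(":")
        ufrag, token = tagged[:-TOKEN_LEN], tagged[-TOKEN_LEN:]
        if len(tagged) <= TOKEN_LEN or self.tokens.get(token) != ufrag:
            return None  # unknown or mismatched token: no authorization
        attrs[ATTR_USERNAME] = f"{ufrag}:{sender}".encode()
        return encode_stun(msg_type, txn_id, list(attrs.items()))

class Firewall:
    """Security device holding pending transactions and pinholes (claims 6 to 10)."""
    def __init__(self, mgmt):
        self.mgmt = mgmt
        self.peers = []    # other devices in the same group (claim 8 multicast)
        self.pending = {}  # STUN transaction id -> source address awaiting validation
        self.pinholes = set()

    def inbound_request(self, data, src):
        """Unauthorized inbound request: ask mgmt, forward the cleaned copy if allowed."""
        msg_type, txn_id, _ = decode_stun(data)
        if msg_type != BINDING_REQUEST:
            return None
        cleaned = self.mgmt.authorize(data)
        if cleaned is None:
            return None  # dropped
        for dev in [self] + self.peers:
            dev.pending[txn_id] = src  # share the id for asymmetric return paths
        return cleaned  # forwarded toward the protected endpoint

    def outbound_response(self, data):
        """Open the pinhole only if the response's transaction id was pending (claim 10)."""
        msg_type, txn_id, _ = decode_stun(data)
        src = self.pending.pop(txn_id, None)
        if msg_type == BINDING_SUCCESS and src is not None:
            self.pinholes.add(src)
            return True
        return False

def run_exchange():
    """Constructed exchange: request enters via fw_in, response leaves via fw_out."""
    mgmt = ManagementSystem()
    fw_in, fw_out = Firewall(mgmt), Firewall(mgmt)
    fw_in.peers.append(fw_out)
    tagged = mgmt.tag_ufrag("abcd")  # the offer now carries "abcd<token>"
    txn = os.urandom(12)
    req = encode_stun(BINDING_REQUEST, txn, [(ATTR_USERNAME, f"{tagged}:wxyz".encode())])
    forwarded = fw_in.inbound_request(req, ("198.51.100.7", 40000))
    opened = fw_out.outbound_response(encode_stun(BINDING_SUCCESS, txn, []))
    forged = encode_stun(BINDING_REQUEST, os.urandom(12), [(ATTR_USERNAME, b"abcddeadbeef:wxyz")])
    rejected = fw_in.inbound_request(forged, ("203.0.113.9", 5000))
    return forwarded, opened, rejected, fw_out.pinholes
```

`run_exchange()` returns the forwarded request with USERNAME reduced to `abcd:wxyz`, `True` for the pinhole opened on the second device, `None` for the forged-token request, and a pinhole set containing only the validated peer address. Two caveats for anyone mapping this onto a real deployment: the model omits MESSAGE-INTEGRITY, and in ICE as later standardized (RFC 5245 with RFC 5389) that HMAC covers the USERNAME attribute, so rewriting USERNAME in transit, as claim 1 describes, invalidates it unless the management system also holds the short-term password; and the pinhole here is keyed on source address only, as claim 6 states, so a practitioner would normally scope it to the 5-tuple and expire it.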

Patent Metadata

Filing Date

Unknown

Publication Date

December 30, 2008

Inventors

Daniel G. Wing
Robert T. Bell


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “METHOD FOR STATEFUL FIREWALL INSPECTION OF ICE MESSAGES” (7472411). https://patentable.app/patents/7472411
